diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md new file mode 100644 index 000000000..53350df90 --- /dev/null +++ b/docs/configuring-playbook-element-call.md @@ -0,0 +1,64 @@ +# Setting up Element Call (optional) + +The playbook can install and configure [Element Call](https://github.com/vector-im/element-call) for you. + +Element Call is a WebRTC-based video and voice calling platform that integrates with Matrix clients such as Element Web. It provides secure, decentralized communication with support for video calls, audio calls, and screen sharing. + +See the project's [documentation](https://github.com/vector-im/element-call) to learn more. + +## Decide on a domain and path + +By default, Element Call is configured to be served on the Matrix domain (`call.DOMAIN`, controlled by the `matrix_element_call_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Element Call on another hostname or path, use the `matrix_element_call_hostname` and `matrix_element_call_path_prefix` variables. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `call.example.com` +- `sfu.example.com` +- `sfu-jwt.example.com` + +## Adjusting the playbook configuration + +NOTE: Enabling Element Call will automatically enable the [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) and Livekit Server services. + + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_element_call_enabled: true +``` + +## Installing + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` + +## Usage + +Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md). When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your LiveKit JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). + +Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`). + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + +- Forward UDP ports 50100:50120 to the Docker instance running LiveKit. +- Forward TCP port 7881 to the Docker instance running LiveKit. + +Element Call: + +- Forward TCP port 443 to the server running Traefik (for Element Call). + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Element Call documentation for more details on configuring and using Element Call. diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md new file mode 100644 index 000000000..961f72c78 --- /dev/null +++ b/docs/configuring-playbook-jwt-service.md @@ -0,0 +1,40 @@ +# Setting up JWT Service (optional) + +The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service) for you. + +LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU. + +See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) to learn more. + +## Decide on a domain and path + +By default, JWT Service is configured to be served: + +- on the Matrix domain (`matrix.example.com`), configurable via `matrix_livekit_jwt_service_hostname` +- under a `/lk-jwt-service` path prefix, configurable via `matrix_livekit_jwt_service_path_prefix` + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: + +```yaml +matrix_livekit_jwt_service_enabled: true +``` + +## Installing + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` + +## Usage + +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element Web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). + +## Additional Information + +Refer to the LiveKit JWT-Service documentation for more details on configuring and using JWT Service. diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md new file mode 100644 index 000000000..48aa4c36f --- /dev/null +++ b/docs/configuring-playbook-livekit-server.md @@ -0,0 +1,55 @@ +# Setting up LiveKit (optional) + +The playbook can install and configure [LiveKit](https://github.com/livekit/livekit) for you. + +LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications. + +See the project's [documentation](https://github.com/livekit/livekit) to learn more. + +## Decide on a domain and path + +By default, LiveKit is configured to be served on the Matrix domain (`sfu.example.com`, controlled by the `livekit_server_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Livekit on another hostname or path, use the `livekit_server_hostname` variable. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `sfu.example.com` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: + +```yaml +livekit_server_enabled: true + +# Set a secure key for LiveKit authentication +livekit_server_dev_key: 'your-secure-livekit-key' +``` + +## Installing + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` + +## Usage +Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + +- Forward UDP ports 50100:50200 to the Docker instance running LiveKit. +- Forward TCP port 7881 to the Docker instance running LiveKit. + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Livekit documentation for more details on configuring and using Livekit. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index d1b9993ec..2b2a4ecb3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -212,6 +212,12 @@ Services that help you in administrating and monitoring your Matrix installation Various services that don't fit any other categories. +- [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) + +- [Setting up the LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional) + +- [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional) + - [Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md) - [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86572a0f9..fd6279e89 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -440,6 +440,12 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else []) + + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else []) + + + ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else []) + + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) @@ -4455,7 +4461,7 @@ keydb_arch: |- # ###################################################################### -valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}" +valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) or matrix_element_call_enabled }}" valkey_identifier: matrix-valkey @@ -4523,6 +4529,14 @@ matrix_client_element_enable_presence_by_hs_url: |- matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" +matrix_client_element_features_feature_video_rooms: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_group_calls: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_oidc_native_flow: "{{ matrix_authentication_service_enabled }}" + +matrix_client_element_element_call_enabled: "{{ matrix_element_call_enabled }}" +matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}" + ###################################################################### # # /matrix-client-element @@ -5941,8 +5955,18 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "{{ # See: https://github.com/etkecc/synapse-admin/pull/126 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: "{{ matrix_synapse_admin_configuration if matrix_homeserver_implementation == 'synapse' else {} }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_element_call_enabled }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |- + {{ + ( + [{'type': 'livekit', 'livekit_service_url': matrix_livekit_jwt_service_public_url}] if matrix_livekit_jwt_service_enabled else [] + ) + }} + matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" +matrix_static_files_file_element_element_json_property_call_widget_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}" + matrix_static_files_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}" @@ -6049,3 +6073,126 @@ traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled e # /traefik_certs_dumper # # # ######################################################################## + + +######################################################################## +# # +# matrix-element-call # +# # +######################################################################## + +matrix_element_call_enabled: false + +matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_element_call_version: "latest" # Default version; can be overridden in host_vars + +matrix_element_call_hostname: "call.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different +matrix_element_call_path_prefix: "/" # Path prefix for Element Call +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" # Base path for storing Element Call-related files +matrix_element_call_container_image: "ghcr.io/element-hq/element-call:{{ matrix_element_call_version }}" +matrix_element_call_container_image_name_prefix: ghcr.io/ +matrix_element_call_container_image_registry_prefix: ghcr.io/ +matrix_element_call_container_image_force_pull: true + +# Docker network configuration for Element Call +matrix_element_call_container_network: "{{ matrix_addons_container_network }}" +matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_element_call_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +######################################################################## +# # +# /matrix-element-call # +# # +######################################################################## + +######################################################################## +# # +# livekit-server # +# # +######################################################################## + +livekit_server_enabled: "{{ matrix_element_call_enabled }}" + +livekit_server_identifier: matrix-livekit-server + +livekit_server_uid: "{{ matrix_user_uid }}" +livekit_server_gid: "{{ matrix_user_gid }}" + +livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" + +livekit_server_hostname: "sfu.{{ matrix_domain }}" + +livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +livekit_server_container_network: "{{ matrix_addons_container_network }}" +livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + +livekit_server_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +livekit_server_config_keys_auto: |- + {{ + {} + | combine( + {matrix_livekit_jwt_service_environment_variable_livekit_key: matrix_livekit_jwt_service_environment_variable_livekit_secret} + if matrix_livekit_jwt_service_enabled else {} + ) + }} + +######################################################################## +# # +# /livekit-server # +# # +######################################################################## + + +######################################################################## +# # +# matrix-livekit-jwt-service # +# # +######################################################################## + +matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}" + +matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service" + +matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}" + +matrix_livekit_jwt_service_container_additional_networks_auto: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []) + + + ([livekit_server_container_network] if livekit_server_enabled and (matrix_livekit_jwt_service_environment_variable_livekit_url == livekit_server_websocket_container_url and livekit_server_container_network != matrix_livekit_jwt_service_container_network) else []) + ) | unique + }} + +matrix_livekit_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_livekit_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_container_url }}" + +matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}" + +matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}" + +######################################################################## +# # +# /matrix-livekit-jwt-service # +# # +######################################################################## diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 4cea592b2..50f62fb22 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -180,6 +180,67 @@ matrix_client_element_branding_auth_header_logo_url: "{{ matrix_client_element_w # URL to Wallpaper, shown in background of welcome page matrix_client_element_branding_welcome_background_url: ~ # noqa var-naming +# Controls the `features` section of the Element Web configuration. +matrix_client_element_features: "{{ matrix_client_element_features_default | combine(matrix_client_element_features_auto, recursive=True) | combine(matrix_client_element_features_custom, recursive=True) }}" +matrix_client_element_features_default: |- + {{ + {} + + | combine( + {'feature_video_rooms': true} if matrix_client_element_features_feature_video_rooms else {} + ) + | combine( + {'feature_group_calls': true} if matrix_client_element_features_feature_group_calls else {} + ) + | combine( + {'feature_element_call_video_rooms': true} if matrix_client_element_features_feature_element_call_video_rooms else {} + ) + | combine( + {'feature_oidc_native_flow': true} if matrix_client_element_features_feature_oidc_native_flow else {} + ) + }} + +matrix_client_element_features_auto: {} +matrix_client_element_features_custom: {} + +matrix_client_element_features_feature_video_rooms: false +matrix_client_element_features_feature_group_calls: false +matrix_client_element_features_feature_element_call_video_rooms: false +matrix_client_element_features_feature_oidc_native_flow: false + +matrix_client_element_element_call_enabled: false +matrix_client_element_element_call: "{{ matrix_client_element_element_call_default | combine(matrix_client_element_element_call_auto, recursive=True) | combine(matrix_client_element_element_call_custom, recursive=True) }}" +matrix_client_element_element_call_default: |- + {{ + {} + | combine( + {'url': matrix_client_element_element_call_url} if matrix_client_element_element_call_url else {} + ) + | combine( + {'participant_limit': matrix_client_element_element_call_participant_limit} if matrix_client_element_element_call_participant_limit else {} + ) + | combine( + {'brand': matrix_client_element_element_call_brand} if matrix_client_element_element_call_brand else {} + ) + | combine( + {'use_exclusively': matrix_client_element_element_call_use_exclusively} if matrix_client_element_element_call_use_exclusively else {} + ) + }} +matrix_client_element_element_call_auto: {} +matrix_client_element_element_call_custom: {} + +# Controls the `element_call.url` setting in the Element Web configuration. +matrix_client_element_element_call_url: '' + +# Controls the `element_call.participant_limit` setting in the Element Web configuration. +matrix_client_element_element_call_participant_limit: 8 + +# Controls the `element_call.brand` setting in the Element Web configuration. +matrix_client_element_element_call_brand: "Element Call" + +# Controls the `element_call.use_exclusively` setting in the Element Web configuration. +matrix_client_element_element_call_use_exclusively: true + matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2" # By default, there's no Element Web homepage (when logged in). If you wish to have one, diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e45e68065..8dba3e2df 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -44,5 +44,7 @@ "auth_footer_links": {{ matrix_client_element_branding_auth_footer_links | to_json }}, "auth_header_logo_url": {{ matrix_client_element_branding_auth_header_logo_url | to_json }}, "welcome_background_url": {{ matrix_client_element_branding_welcome_background_url | to_json }} - } + }, + "features": {{ matrix_client_element_features | to_json }}, + "element_call": {{ (matrix_client_element_element_call if matrix_client_element_element_call_enabled else {}) | to_json }} } diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml new file mode 100644 index 000000000..dd8bb98cb --- /dev/null +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -0,0 +1,120 @@ +--- +# Enable or disable matrix-element-call deployment +matrix_element_call_enabled: false + +matrix_element_call_scheme: https +matrix_element_call_hostname: "call.{{ matrix_domain }}" + +# Base path configuration +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" + +# Docker network configuration +matrix_element_call_container_network: '' +matrix_element_call_container_http_host_bind_port: '' +matrix_element_call_container_additional_networks: [] # No additional networks by default + +# Docker images +matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" + +# Ports +matrix_element_call_port: "8093" + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_element_call_container_labels_traefik_priority: 0 +matrix_element_call_container_labels_traefik_entrypoints: web-secure +matrix_element_call_container_labels_traefik_tls: "{{ matrix_element_call_container_labels_traefik_entrypoints != 'web' }}" +matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` +matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" +matrix_element_call_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) + }} +matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_element_call_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_element_call_container_extra_arguments: [] + +# Additional environment variables for the container +matrix_element_call_environment_variables_additional: {} + +# List of systemd services that matrix-element-call.service depends on +matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_element_call_http_header_xss_protection: '' + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_element_call_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_element_call_http_header_content_type_options: '' + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_element_call_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_element_call_http_header_content_permission_policy: '' + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_element_call_http_header_strict_transport_security: '' + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_element_call_content_permission_policy` +matrix_element_call_floc_optout_enabled: false + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_element_call_http_header_strict_transport_security` +matrix_element_call_hsts_preload_enabled: false + +# Enable or disable metrics collection +matrix_element_call_metrics_enabled: false +matrix_element_call_metrics_port: 2112 diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml new file mode 100644 index 000000000..21f1808fc --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -0,0 +1,49 @@ +--- +# roles/custom/matrix-element-call/tasks/install.yml + +# Ensure Required Directories Exist +- name: Ensure matrix-element-call paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_element_call_base_path }}" + - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element" # Directory for element.json + +# Ensure Configuration Files are in Place +- name: Ensure Element Call config.json is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_element_call_base_path }}/config.json" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call Docker labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Ensure Docker Images are Pulled +- name: Ensure matrix-element-call Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_element_call_container_image }}" + source: pull + force_source: "{{ matrix_element_call_container_image_force_pull }}" + register: element_call_image_result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: element_call_image_result is not failed + +# Systemd Services for Element Call +- name: Ensure matrix-element-call systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + mode: 0644 diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml new file mode 100644 index 000000000..183c0c6ed --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -0,0 +1,21 @@ +--- +# Main task file for matrix-element-call + +- tags: + - setup-all + - setup-element-call + - install-all + - install-element-call + block: + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-element-call + block: + - when: not matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml new file mode 100644 index 000000000..c93837b63 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml @@ -0,0 +1,21 @@ +--- +# Uninstall tasks for matrix-element-call + +- name: Stop and remove matrix-element-call container + community.docker.docker_container: + name: "matrix-element-call" + state: absent + +- name: Remove matrix-element-call systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + state: absent + +- name: Remove matrix-element-call configuration files + ansible.builtin.file: + path: "{{ matrix_element_call_base_path }}" + state: absent + +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml new file mode 100644 index 000000000..3b6712727 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- +# Validate configuration for matrix-element-call + +- name: Fail if required matrix-element-call settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_element_call_base_path', when: true} + - {'name': 'matrix_element_call_container_network', when: true} + - {'name': 'matrix_element_call_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 new file mode 100644 index 000000000..4ad4e2b51 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -0,0 +1,11 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "{{ matrix_homeserver_url }}", + "server_name": "{{ matrix_domain }}" + } + }, + "livekit": { + "livekit_service_url": "{{ matrix_livekit_jwt_service_public_url }}" + } +} diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 new file mode 100644 index 000000000..014add79a --- /dev/null +++ b/roles/custom/matrix-element-call/templates/labels.j2 @@ -0,0 +1,46 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +# Network configuration for Traefik +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +# Path prefix handling for Element Call +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} + +traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} +{% endif %} + +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-element-call.service=matrix-element-call +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +{% if matrix_element_call_container_labels_traefik_tls %} +traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_element_call_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 new file mode 100644 index 000000000..a22ff17f1 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Element Call Service +{% for service in matrix_client_element_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-element-call \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + --mount type=bind,src={{ matrix_element_call_base_path }}/config.json,dst=/app/config.json,ro \ + {% if matrix_element_call_container_http_host_bind_port %} + -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ + {% endif %} + --label-file={{ matrix_element_call_base_path }}/labels \ + {% for arg in matrix_element_call_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_element_call_image }} + +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-element-call + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-element-call/vars/main.yml b/roles/custom/matrix-element-call/vars/main.yml new file mode 100644 index 000000000..cb65e277c --- /dev/null +++ b/roles/custom/matrix-element-call/vars/main.yml @@ -0,0 +1,3 @@ +--- + +matrix_element_call_public_url: "{{ matrix_element_call_scheme }}://{{ matrix_element_call_hostname }}" diff --git a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml new file mode 100644 index 000000000..859708729 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml @@ -0,0 +1,81 @@ +--- + +# Project source code URL: https://github.com/element-hq/lk-jwt-service + +matrix_livekit_jwt_service_enabled: false + +matrix_livekit_jwt_service_scheme: https +matrix_livekit_jwt_service_hostname: "" +matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service" + +matrix_livekit_jwt_service_base_path: "{{ matrix_base_data_path }}/livekit-jwt-service" + +matrix_livekit_jwt_service_container_network: '' + +matrix_livekit_jwt_service_container_http_host_bind_port: '' + +matrix_livekit_jwt_service_container_additional_networks: "{{ (matrix_livekit_jwt_service_container_additional_networks_auto + matrix_livekit_jwt_service_container_additional_networks_custom) | unique }}" +matrix_livekit_jwt_service_container_additional_networks_auto: [] +matrix_livekit_jwt_service_container_additional_networks_custom: [] + +# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service +matrix_livekit_jwt_service_version: latest-ci + +matrix_livekit_jwt_service_container_image_self_build: false +matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git" +matrix_livekit_jwt_service_container_repo_version: "{{ 'main' if matrix_livekit_jwt_service_version in ['latest', 'latest-ci'] else livekit_server_version }}" +matrix_livekit_jwt_service_container_src_files_path: "{{ matrix_livekit_jwt_service_base_path }}/container-src" + +matrix_livekit_jwt_service_container_image: "{{ matrix_livekit_jwt_service_container_image_name_prefix }}element-hq/lk-jwt-service:{{ matrix_livekit_jwt_service_version }}" +matrix_livekit_jwt_service_container_image_name_prefix: "{{ 'localhost/' if matrix_livekit_jwt_service_container_image_self_build else 'ghcr.io/' }}" +matrix_livekit_jwt_service_container_image_force_pull: "{{ matrix_livekit_jwt_service_container_image.endswith(':latest') }}" + +matrix_livekit_jwt_service_container_labels_traefik_enabled: true +matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_livekit_jwt_service_container_network }}" +matrix_livekit_jwt_service_container_labels_traefik_hostname: "{{ matrix_livekit_jwt_service_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/lk-jwt-service`). +matrix_livekit_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_livekit_jwt_service_path_prefix }}" +matrix_livekit_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_livekit_jwt_service_container_labels_traefik_hostname }}`){% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_livekit_jwt_service_container_labels_traefik_priority: 0 +matrix_livekit_jwt_service_container_labels_traefik_entrypoints: web-secure +matrix_livekit_jwt_service_container_labels_traefik_tls: "{{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints != 'web' }}" +matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom` +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto: {} +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_livekit_jwt_service_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_livekit_jwt_service_container_extra_arguments: [] + +# Controls the LK_JWT_PORT environment variable +matrix_livekit_jwt_service_environment_variable_lk_jwt_port: 8080 + +# Controls the LIVEKIT_KEY environment variable +matrix_livekit_jwt_service_environment_variable_livekit_key: "" + +# Controls the LIVEKIT_URL environment variable +matrix_livekit_jwt_service_environment_variable_livekit_url: "" + +# Controls the LIVEKIT_SECRET environment variable +matrix_livekit_jwt_service_environment_variable_livekit_secret: "" + +# Additional environment variables for the container +matrix_livekit_jwt_service_environment_variables_additional: {} + +# List of systemd services that LiveKit JWT Service service depends on +matrix_livekit_jwt_service_systemd_required_services_list: "{{ matrix_livekit_jwt_service_systemd_required_services_list_default + matrix_livekit_jwt_service_systemd_required_services_list_auto + matrix_livekit_jwt_service_systemd_required_services_list_custom }}" +matrix_livekit_jwt_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_livekit_jwt_service_systemd_required_services_list_auto: [] +matrix_livekit_jwt_service_systemd_required_services_list_custom: [] diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/install.yml b/roles/custom/matrix-livekit-jwt-service/tasks/install.yml new file mode 100644 index 000000000..1900ac6f3 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/install.yml @@ -0,0 +1,69 @@ +--- + +- name: Ensure LiveKit JWT Service paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_livekit_jwt_service_base_path }}" + +- name: Ensure LiveKit JWT Service support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_livekit_jwt_service_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure LiveKit JWT Service container image is pulled + community.docker.docker_image: + name: "{{ matrix_livekit_jwt_service_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_livekit_jwt_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_container_image_force_pull }}" + when: "not matrix_livekit_jwt_service_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: "matrix_livekit_jwt_service_container_image_self_build | bool" + block: + - name: Ensure LiveKit JWT Service repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_livekit_jwt_service_container_repo }}" + version: "{{ matrix_livekit_jwt_service_container_repo_version }}" + dest: "{{ matrix_livekit_jwt_service_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_livekit_jwt_service_git_pull_results + + - name: Ensure LiveKit JWT Service container image is built + community.docker.docker_image: + name: "{{ matrix_livekit_jwt_service_container_image }}" + source: build + force_source: "{{ matrix_livekit_jwt_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_livekit_jwt_service_container_src_files_path }}" + pull: true + +- name: Ensure LiveKit JWT Service container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_livekit_jwt_service_container_network }}" + driver: bridge + +- name: Ensure LiveKit JWT Service systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-livekit-jwt-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + mode: 0644 diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/main.yml b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml new file mode 100644 index 000000000..7713acc1d --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-jwt-service + - install-all + - install-livekit-jwt-service + block: + - when: matrix_livekit_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_livekit_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-livekit-jwt-service + block: + - when: not matrix_livekit_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml new file mode 100644 index 000000000..b898af8d6 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of LiveKit JWT Service systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + register: matrix_livekit_jwt_service_service_stat + +- when: matrix_livekit_jwt_service_service_stat.stat.exists | bool + block: + - name: Ensure LiveKit JWT Service systemd service is stopped + ansible.builtin.service: + name: matrix-livekit-jwt-service + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure LiveKit JWT Service systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + state: absent + + - name: Ensure LiveKit JWT Service paths don't exist + ansible.builtin.file: + path: "{{ matrix_livekit_jwt_service_base_path }}" + state: absent diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml new file mode 100644 index 000000000..5d393d629 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml @@ -0,0 +1,13 @@ +--- + +- name: Fail if required LiveKit JWT Service settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] | length == 0" + with_items: + - {'name': 'matrix_livekit_jwt_service_hostname', when: true} + - {'name': 'matrix_livekit_jwt_service_container_network', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true} diff --git a/roles/custom/matrix-livekit-jwt-service/templates/env.j2 b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 new file mode 100644 index 000000000..d8613b453 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 @@ -0,0 +1,7 @@ +LK_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port | int | to_json }} + +LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }} +LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }} +LIVEKIT_SECRET={{ matrix_livekit_jwt_service_environment_variable_livekit_secret }} + +{{ matrix_livekit_jwt_service_environment_variables_additional }} diff --git a/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 new file mode 100644 index 000000000..91b615a7a --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 @@ -0,0 +1,48 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }} + +traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} + +{% set middlewares = [] %} + +{% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-slashless-redirect'] %} + +traefik.http.middlewares.matrix-livekit-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-strip-prefix'] %} +{% endif %} + +{% if matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.rule={{ matrix_livekit_jwt_service_container_labels_traefik_rule }} + +{% if matrix_livekit_jwt_service_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-livekit-jwt-service.priority={{ matrix_livekit_jwt_service_container_labels_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.service=matrix-livekit-jwt-service + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-livekit-jwt-service.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.entrypoints={{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints }} + +traefik.http.routers.matrix-livekit-jwt-service.tls={{ matrix_livekit_jwt_service_container_labels_traefik_tls | to_json }} + +{% if matrix_livekit_jwt_service_container_labels_traefik_tls %} +traefik.http.routers.matrix-livekit-jwt-service.tls.certResolver={{ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_livekit_jwt_service_container_labels_additional_labels }} diff --git a/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 new file mode 100644 index 000000000..0c2127a17 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix LiveKit JWT Service +{% for service in matrix_livekit_jwt_service_systemd_required_services_list %} +After={{ service }} +Requires={{ service }} +{% endfor %} + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-jwt-service 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-livekit-jwt-service \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_livekit_jwt_service_container_network }} \ + {% if matrix_livekit_jwt_service_container_http_host_bind_port %} + -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} \ + {% endif %} + --env-file={{ matrix_livekit_jwt_service_base_path }}/env \ + --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \ + {{ matrix_livekit_jwt_service_container_image }} + +{% for network in matrix_livekit_jwt_service_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-livekit-jwt-service +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-jwt-service + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-livekit-jwt-service + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-livekit-jwt-service/vars/main.yml b/roles/custom/matrix-livekit-jwt-service/vars/main.yml new file mode 100644 index 000000000..c2d7ce3e7 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/vars/main.yml @@ -0,0 +1,3 @@ +--- + +matrix_livekit_jwt_service_public_url: "{{ matrix_livekit_jwt_service_scheme }}://{{ matrix_livekit_jwt_service_hostname }}" diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml new file mode 100644 index 000000000..5c0d8bf42 --- /dev/null +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -0,0 +1,211 @@ +--- + +# Project source code URL: https://github.com/livekit/livekit + +livekit_server_enabled: false + +livekit_server_identifier: livekit-server + +livekit_server_uid: '' +livekit_server_gid: '' + +livekit_server_base_path: "/{{ livekit_server_identifier }}" +livekit_server_config_path: "{{ livekit_server_base_path }}/config" + +# renovate: datasource=docker depName=docker.io/livekit/livekit-server +livekit_server_version: v1.8.0 + +livekit_server_scheme: https +livekit_server_hostname: "" +livekit_server_path_prefix: / + +livekit_server_container_network: "{{ livekit_server_identifier }}" + +livekit_server_container_additional_networks: "{{ livekit_server_container_additional_networks_auto + livekit_server_container_additional_networks_custom }}" +livekit_server_container_additional_networks_auto: [] +livekit_server_container_additional_networks_custom: [] + +# Controls whether the LiveKit Server container exposes its RCT TCP port (`livekit_server_config_rtc_tcp_port`) +# +# Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. +livekit_server_container_rtc_tcp_host_bind_port: "{{ livekit_server_config_rtc_tcp_port if livekit_server_container_network != 'host' else '' }}" + +# Controls whether the LiveKit Server container exposes its RTC UDP port range and which interface to do it on. +# +# Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces. +# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening. +# +# The UDP port-range itself is specified using `livekit_server_config_rtc_port_range_start` and `livekit_server_config_rtc_port_range_end`. +livekit_server_container_rtc_range_listen_interface: "{{ '' if livekit_server_container_network != 'host' else 'none' }}" + +livekit_server_container_image_self_build: false +livekit_server_container_repo: "https://github.com/livekit/livekit.git" +livekit_server_container_repo_version: "{{ 'main' if livekit_server_version == 'latest' else livekit_server_version }}" +livekit_server_container_src_files_path: "{{ livekit_server_base_path }}/container-src" + +livekit_server_container_image: "{{ livekit_server_container_image_name_prefix }}livekit/livekit-server:{{ livekit_server_version }}" +livekit_server_container_image_name_prefix: "{{ 'localhost/' if livekit_server_container_image_self_build else 'docker.io/' }}" +livekit_server_container_image_force_pull: "{{ livekit_server_container_image.endswith(':latest') }}" + +livekit_server_container_labels_traefik_enabled: true +livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}" +livekit_server_container_labels_traefik_hostname: "{{ livekit_server_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +livekit_server_container_labels_traefik_path_prefix: "{{ livekit_server_path_prefix }}" +livekit_server_container_labels_traefik_rule: "Host(`{{ livekit_server_container_labels_traefik_hostname }}`){% if livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" +livekit_server_container_labels_traefik_priority: 0 +livekit_server_container_labels_traefik_entrypoints: web-secure +livekit_server_container_labels_traefik_tls: "{{ livekit_server_container_labels_traefik_entrypoints != 'web' }}" +livekit_server_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `livekit_server_container_labels_traefik_additional_response_headers_custom` +livekit_server_container_labels_traefik_additional_response_headers: "{{ livekit_server_container_labels_traefik_additional_response_headers_auto | combine(livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +livekit_server_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': livekit_server_http_header_xss_protection} if livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': livekit_server_http_header_frame_options} if livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': livekit_server_http_header_content_type_options} if livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': livekit_server_http_header_content_security_policy} if livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': livekit_server_http_header_content_permission_policy} if livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': livekit_server_http_header_strict_transport_security} if livekit_server_http_header_strict_transport_security and livekit_server_container_labels_traefik_tls else {}) + }} +livekit_server_container_labels_traefik_additional_response_headers_custom: {} + +# livekit_server_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# livekit_server_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +livekit_server_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +livekit_server_container_extra_arguments: [] + +# Additional environment variables for the container +livekit_server_environment_variables_additional: {} + +# List of systemd services that LiveKit Server service depends on +livekit_server_systemd_required_services_list: "{{ livekit_server_systemd_required_services_list_default + livekit_server_systemd_required_services_list_auto + livekit_server_systemd_required_services_list_custom }}" +livekit_server_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +livekit_server_systemd_required_services_list_auto: [] +livekit_server_systemd_required_services_list_custom: [] + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +livekit_server_http_header_xss_protection: '' + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +livekit_server_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +livekit_server_http_header_content_type_options: '' + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +livekit_server_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +livekit_server_http_header_content_permission_policy: '' + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +livekit_server_http_header_strict_transport_security: '' + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `livekit_server_content_permission_policy` +livekit_server_floc_optout_enabled: false + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `livekit_server_http_header_strict_transport_security` +livekit_server_hsts_preload_enabled: true + +# Holds the final LiveKit Server configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `livekit_server_configuration_yaml` or `livekit_server_configuration_extension_yaml`. +livekit_server_configuration: "{{ livekit_server_configuration_yaml | from_yaml | combine(livekit_server_configuration_extension, recursive=True) }}" + +# Default LiveKit Server configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `livekit_server_configuration_extension_yaml`) +# or completely replace this variable with your own template. +livekit_server_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +livekit_server_configuration_extension_yaml: | + # Your custom YAML configuration for LiveKit Server goes here. + # This configuration extends the default starting configuration (`livekit_server_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `livekit_server_configuration_yaml`. + # + # Example configuration extension follows: + # + # logging: + # level: debug + +livekit_server_configuration_extension: "{{ livekit_server_configuration_extension_yaml | from_yaml if livekit_server_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Controls the `port` configuration property. +livekit_server_config_port: 7880 + +# Controls the `rtc.tcp_port` configuration property +livekit_server_config_rtc_tcp_port: 7881 + +# Controls the `rtc.port_range_start` configuration property +livekit_server_config_rtc_port_range_start: 50100 + +# Controls the `rtc.port_range_end` configuration property +livekit_server_config_rtc_port_range_end: 50120 + +# Controls the `rtc.use_external_ip` configuration property. +# When set to true, attempts to discover the host's public IP via STUN. +# This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one. +livekit_server_config_rtc_use_external_ip: true + +# Controls the `keys` configuration property. +livekit_server_config_keys: "{{ livekit_server_config_keys_auto | combine(livekit_server_config_keys_custom, recursive=True) }}" +livekit_server_config_keys_auto: {} +livekit_server_config_keys_custom: {} + +# Controls the `logging.level` configuration property. +# Known values: debug, info, warn, error +livekit_server_config_logging_level: info + +# Controls the `logging.pion_level` configuration property +livekit_server_config_logging_pion_level: error + +# Controls the `logging.json` configuration property. +# When set to true, emits json fields. +livekit_server_config_logging_json: false + +# Controls the `logging.sample` configuration property. +# For production setups, enables sampling algorithm. +# See: https://github.com/uber-go/zap/blob/master/FAQ.md#why-sample-application-logs +livekit_server_config_logging_sample: false diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml new file mode 100644 index 000000000..cec65bb64 --- /dev/null +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -0,0 +1,77 @@ +--- + +- name: Ensure LiveKit Server paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" + with_items: + - {path: "{{ livekit_server_base_path }}", when: true} + - {path: "{{ livekit_server_config_path }}", when: true} + - {path: "{{ livekit_server_container_src_files_path }}", when: "{{ livekit_server_container_image_self_build }}"} + when: "item.when | bool" + +- name: Ensure LiveKit Server configuration installed + ansible.builtin.copy: + content: "{{ livekit_server_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ livekit_server_config_path }}/config.yaml" + mode: 0640 + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" + +- name: Ensure LiveKit Server labels file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ livekit_server_base_path }}/labels" + mode: 0640 + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" + +- name: Ensure LiveKit Server container image is pulled + community.docker.docker_image: + name: "{{ livekit_server_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ livekit_server_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_container_image_force_pull }}" + when: "not livekit_server_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: "livekit_server_container_image_self_build | bool" + block: + - name: Ensure LiveKit Server repository is present on self-build + ansible.builtin.git: + repo: "{{ livekit_server_container_repo }}" + version: "{{ livekit_server_container_repo_version }}" + dest: "{{ livekit_server_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: livekit_server_git_pull_results + + - name: Ensure LiveKit Server container image is built + community.docker.docker_image: + name: "{{ livekit_server_container_image }}" + source: build + force_source: "{{ livekit_server_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ livekit_server_container_src_files_path }}" + pull: true + +- name: Ensure LiveKit Server container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ livekit_server_container_network }}" + driver: bridge + +- name: Ensure LiveKit Server systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/livekit-server.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" + mode: 0644 diff --git a/roles/custom/matrix-livekit-server/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml new file mode 100644 index 000000000..2929a2917 --- /dev/null +++ b/roles/custom/matrix-livekit-server/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-livekit-server + - install-all + - install-livekit-server + block: + - when: livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-livekit-server + block: + - when: not livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml new file mode 100644 index 000000000..141fe0c21 --- /dev/null +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of LiveKit Server service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" + register: livekit_server_service_stat + +- when: livekit_server_service_stat.stat.exists | bool + block: + - name: Ensure LiveKit Server is stopped + ansible.builtin.service: + name: "{{ livekit_server_identifier }}" + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure LiveKit Server systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" + state: absent + + - name: Ensure LiveKit Server paths don't exist + ansible.builtin.file: + path: "{{ livekit_server_base_path }}" + state: absent diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml new file mode 100644 index 000000000..1b7139d10 --- /dev/null +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: Fail if required LiveKit Server settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] | length == 0" + with_items: + - {'name': 'livekit_server_hostname', when: true} + - {'name': 'livekit_server_identifier', when: true} + - {'name': 'livekit_server_uid', when: true} + - {'name': 'livekit_server_gid', when: true} diff --git a/roles/custom/matrix-livekit-server/templates/config.yaml.j2 b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 new file mode 100644 index 000000000..a9317735c --- /dev/null +++ b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 @@ -0,0 +1,27 @@ +port: {{ livekit_server_config_port | int | to_json }} + +bind_addresses: + - "0.0.0.0" + +rtc: + tcp_port: {{ livekit_server_config_rtc_tcp_port | int | to_json }} + port_range_start: {{ livekit_server_config_rtc_port_range_start | int | to_json }} + port_range_end: {{ livekit_server_config_rtc_port_range_end | int | to_json }} + use_external_ip: {{ livekit_server_config_rtc_use_external_ip | to_json }} + +turn: + enabled: false + domain: localhost + cert_file: "" + key_file: "" + tls_port: 5349 + udp_port: 443 + external_tls: true + +keys: {{ livekit_server_config_keys | to_json }} + +logging: + level: {{ livekit_server_config_logging_level | to_json }} + pion_level: {{ livekit_server_config_logging_pion_level | to_json }} + json: {{ livekit_server_config_logging_json | to_json }} + sample: {{ livekit_server_config_logging_sample | to_json }} diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 new file mode 100644 index 000000000..fb93ebea8 --- /dev/null +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 @@ -0,0 +1,49 @@ +{% if livekit_server_container_labels_traefik_enabled %} +traefik.enable=true + +{% if livekit_server_container_labels_traefik_docker_network %} +traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.{{ livekit_server_identifier }}.loadbalancer.server.port={{ livekit_server_config_port }} + +{% set middlewares = [] %} + +{% if livekit_server_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + [livekit_server_identifier + '-server-slashless-redirect'] %} + +traefik.http.middlewares.{{ livekit_server_identifier }}-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + [livekit_server_identifier + '-strip-prefix'] %} +{% endif %} + +{% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.{{ livekit_server_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + [livekit_server_identifier + '-add-headers'] %} +{% endif %} + +traefik.http.routers.{{ livekit_server_identifier }}.rule={{ livekit_server_container_labels_traefik_rule }} + +{% if livekit_server_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.{{ livekit_server_identifier }}.priority={{ livekit_server_container_labels_traefik_priority }} +{% endif %} + +traefik.http.routers.{{ livekit_server_identifier }}.service={{ livekit_server_identifier }} + +{% if middlewares | length > 0 %} +traefik.http.routers.{{ livekit_server_identifier }}.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.{{ livekit_server_identifier }}.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }} + +traefik.http.routers.{{ livekit_server_identifier }}.tls={{ livekit_server_container_labels_traefik_tls | to_json }} +{% if livekit_server_container_labels_traefik_tls %} +traefik.http.routers.{{ livekit_server_identifier }}.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ livekit_server_container_labels_additional_labels }} diff --git a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 new file mode 100644 index 000000000..6ff03d660 --- /dev/null +++ b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=LiveKit Server +{% for service in livekit_server_systemd_required_services_list %} +After={{ service }} +Requires={{ service }} +{% endfor %} + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ livekit_server_identifier }} \ + --log-driver=none \ + --user={{ livekit_server_uid }}:{{ livekit_server_gid }} \ + --cap-drop=ALL \ + --network={{ livekit_server_container_network }} \ + {% if livekit_server_container_rtc_tcp_host_bind_port != '' %} + -p {{ livekit_server_container_rtc_tcp_host_bind_port }}:{{ livekit_server_config_rtc_tcp_port }} \ + {% endif %} + {% if livekit_server_container_rtc_range_listen_interface is not in [none, 'none'] %} + -p {{ livekit_server_container_rtc_range_listen_interface }}{{ ':' if livekit_server_container_rtc_range_listen_interface else '' }}{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}:{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}/udp \ + {% endif %} + --mount type=bind,src={{ livekit_server_config_path }}/config.yaml,dst=/livekit-config.yaml,ro \ + --label-file={{ livekit_server_base_path }}/labels \ + {{ livekit_server_container_image }} \ + --dev --config /livekit-config.yaml + +{% for network in livekit_server_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ livekit_server_identifier }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ livekit_server_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier={{ livekit_server_identifier }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-livekit-server/vars/main.yml b/roles/custom/matrix-livekit-server/vars/main.yml new file mode 100644 index 000000000..87f0be0dd --- /dev/null +++ b/roles/custom/matrix-livekit-server/vars/main.yml @@ -0,0 +1,3 @@ +livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}" + +livekit_server_websocket_container_url: "ws://{{ livekit_server_identifier }}:{{ livekit_server_config_port}}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 7e3abf2f5..a107d36af 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -15,6 +15,7 @@ matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" matrix_static_files_public_path: "{{ matrix_static_files_base_path }}/public" matrix_static_files_public_well_known_path: "{{ matrix_static_files_public_path }}/.well-known" matrix_static_files_public_well_known_matrix_path: "{{ matrix_static_files_public_well_known_path }}/matrix" +matrix_static_files_public_well_known_element_path: "{{ matrix_static_files_public_well_known_path }}/element" # List of systemd services that matrix-static-files.service depends on matrix_static_files_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" @@ -203,6 +204,16 @@ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin: "{{ matri matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: {} matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_custom: {} +# Controls whether `org.matrix.msc4143.rtc_foci`-related entries should be added to the client well-known. +# By default, if there are entries in `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci`, we show them (by enabling this). +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | default({}) | dict2items | length > 0 }}" + +# Controls the org.matrix.msc4143.rtc_foci property in the /.well-known/matrix/client file. +# See `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled` +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto | combine(matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom, recursive=True) }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: {} +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom: {} + # Default /.well-known/matrix/client configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -350,6 +361,56 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f ######################################################################## +######################################################################## +# # +# Related to /.well-known/element/element.json # +# # +######################################################################## + +# Controls whether a `/.well-known/element/element.json` file is generated and used at all. +matrix_static_files_file_element_element_json_enabled: true + +# Controls the call.widget_url property in the /.well-known/element/element.json file +matrix_static_files_file_element_element_json_property_call_widget_url: '' + +# Default /.well-known/element/element.json configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_static_files_file_matrix_support_configuration_extension_json`) +# or completely replace this variable with your own template. +matrix_static_files_file_element_element_json_configuration_json: "{{ lookup('template', 'templates/public/.well-known/element/element.json.j2') }}" + +# Your custom JSON configuration for /.well-known/element/element.json should go to `matrix_static_files_file_element_element_json_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_static_files_file_matrix_support_configuration_extension_json`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_static_files_file_matrix_support_configuration_json`. +# +# Example configuration extension follows: +# +# matrix_static_files_file_element_element_json_configuration_extension_json: | +# { +# "call": { +# "url": "value" +# } +# } +matrix_static_files_file_element_element_json_configuration_extension_json: '{}' + +matrix_static_files_file_element_element_json_configuration_extension: "{{ matrix_static_files_file_element_element_json_configuration_extension_json | from_json if matrix_static_files_file_element_element_json_configuration_extension_json | from_json is mapping else {} }}" + +# Holds the final /.well-known/matrix/support configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_static_files_file_element_element_json_configuration_json` or `matrix_static_files_file_element_element_json_configuration_extension_json`. +matrix_static_files_file_element_element_json_configuration: "{{ matrix_static_files_file_element_element_json_configuration_json | combine(matrix_static_files_file_element_element_json_configuration_extension, recursive=True) }}" + +######################################################################## +# # +# /Related to /.well-known/element/element.json # +# # +######################################################################## + + ######################################################################## # # # Related to index.html # diff --git a/roles/custom/matrix-static-files/tasks/install.yml b/roles/custom/matrix-static-files/tasks/install.yml index 3cbd9d4c6..b70079434 100644 --- a/roles/custom/matrix-static-files/tasks/install.yml +++ b/roles/custom/matrix-static-files/tasks/install.yml @@ -2,17 +2,19 @@ - name: Ensure matrix-static-files paths exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_static_files_base_path }}" - - "{{ matrix_static_files_config_path }}" - - "{{ matrix_static_files_public_path }}" - - "{{ matrix_static_files_public_well_known_path }}" - - "{{ matrix_static_files_public_well_known_matrix_path }}" + - {path: "{{ matrix_static_files_base_path }}", when: true} + - {path: "{{ matrix_static_files_config_path }}", when: true} + - {path: "{{ matrix_static_files_public_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_matrix_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_element_path }}", when: true} + when: "item.when | bool" - name: Ensure matrix-static-files is configured ansible.builtin.template: @@ -52,6 +54,10 @@ dest: "{{ matrix_static_files_public_well_known_matrix_path }}/support" when: "{{ matrix_static_files_file_matrix_support_enabled }}" + - content: "{{ matrix_static_files_file_element_element_json_configuration | to_nice_json }}" + dest: "{{ matrix_static_files_public_well_known_element_path }}/element.json" + when: "{{ matrix_static_files_file_element_element_json_enabled }}" + # This one will not be deleted if `matrix_static_files_file_index_html_enabled` flips to `false`. # See the comment for `matrix_static_files_file_index_html_enabled` to learn why. - content: "{{ matrix_static_files_file_index_html_template }}" @@ -70,6 +76,12 @@ state: absent when: "not matrix_static_files_file_matrix_support_enabled | bool" +- name: Ensure /.well-known/element/element.json file deleted if not enabled + ansible.builtin.file: + path: "{{ matrix_static_files_public_well_known_element_path }}/element.json" + state: absent + when: "not matrix_static_files_file_element_element_json_enabled | bool" + - name: Ensure matrix-static-files container image is pulled community.docker.docker_image: name: "{{ matrix_static_files_container_image }}" diff --git a/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 b/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 new file mode 100644 index 000000000..68d13f098 --- /dev/null +++ b/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 @@ -0,0 +1,7 @@ +{ + {% if matrix_static_files_file_element_element_json_property_call_widget_url %} + "call": { + "widget_url": {{ matrix_static_files_file_element_element_json_property_call_widget_url | to_json }} + } + {% endif %} +} diff --git a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 index 86882893a..600e8f4c7 100644 --- a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 +++ b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 @@ -57,4 +57,7 @@ {% if matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_enabled %}, "cc.etke.synapse-admin": {{ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin | to_json }} {% endif %} + {% if matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled %}, + "org.matrix.msc4143.rtc_foci": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | to_json }} + {% endif %} } diff --git a/setup.yml b/setup.yml index cb5fd7a1a..86b9dfa7f 100644 --- a/setup.yml +++ b/setup.yml @@ -133,6 +133,9 @@ - custom/matrix-coturn - custom/matrix-media-repo - custom/matrix-pantalaimon + - custom/matrix-element-call + - custom/matrix-livekit-server + - custom/matrix-livekit-jwt-service - role: galaxy/postgres_backup